Server 2012 VPN with L2TP

finsfree

Member
Hi Guys,

I'm trying to set up a VPN connection to my Server 2012. I was able to make the connection in a virtual environment, however I'd like to be able to connect from the WAN side (outside). I have been unsuccessful so far.

I believe my issue is with IKE. Here is the log file from my firewall. In the firewall I did enable ports 500, 1701, 4500.
[image attachment: upload_2017-9-9_17-30-56.png]
 

beers

Moderator
Staff member
What client are you using for the client side of the tunnel?

Can you post config bits? It sounds like maybe a payload mismatch such as tunneled vs header etc.
 

finsfree

Member
My Remote Access Server 2012 is virtual.

To be on a different network, I'm using a laptop connected to my iPhone's hotspot. I know it's not ideal but this is my setup.

config bits?
 

voyagerfan99

Master of Turning Things Off and Back On Again
Staff member
1. Be sure you have the necessary ports open or forwarded to the server in your router/firewall
2. Verify your settings are correct in the VPN client [passphrase, encryption settings, etc.] (I am assuming you are using the built in Windows VPN)
 

finsfree

Member
Yes, I'm using the built in VPN on Server 2012. All of the necessary ports are open.

What client are you using for the client side of the tunnel?

Can you post config bits? It sounds like maybe a payload mismatch such as tunneled vs header etc.

What are config bits?
 

finsfree

Member
Update!

I can connect with a smart phone (iOS or Android) to the Windows Server 2012 VPN, but I cannot connect with a computer (Win10).

I receive this error message:
[image attachment: upload_2017-9-14_16-4-29.png]
 

voyagerfan99

Master of Turning Things Off and Back On Again
Staff member
Doesn't look like you have the correct ports open/forwarded to the server in your router/firewall.

L2TP requires:
TCP 1701
UDP 500 - This is for the security association (also called the SA) to negotiate the security method, whether it's a password, certificate or Kerberos.
AH - Also called Authenticated Headers. This is Protocol ID 50 - and like above, this is not a port, and it depends on your firewall on how to configure it.
ESP - Encapsulated Secure Payload. This is Protocol ID 51 - and like above, this is not a port, and it depends on your firewall on how to configure it.
If you want just a basic VPN you can do SSTP instead which only requires port 443.
 

finsfree

Member
I'm using L2TP/IPSec for a VPN protocol. I did enable AH and ESP on the Zywall USG 20 firewall.

Everything is pointing to my Windows Server 2012 (Serv3).

Ports that are open on the firewall:
  • 1701 UDP
  • 500 IKE
  • 4500 NAT-T
NAT Service:
  • 1701 to 1701
  • 500 to 500
  • 4500 to 4500
Here I'll show you the Firewall & NAT settings.
[image attachments: Firewall.JPG, NAT.JPG]
 
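The firewall and NAT lists above cover the Zywall side; the server's own Windows Firewall has to admit the same traffic. The script below is an added example, not part of the original thread, and creates and then lists inbound rules on the Server 2012 host for the L2TP/IPsec set (UDP 500, UDP 4500, UDP 1701, IP protocol 50 and 51). The rule names are assumptions chosen here; RRAS is assumed to be already installed.

```powershell
# Added example (not from the thread): Windows Firewall rules on the RRAS host
# for L2TP/IPsec. Rule names below are assumptions; adjust to your naming scheme.
$rules = @(
    @{ Name = 'L2TP-IPsec IKE (UDP 500)';     Protocol = 'UDP'; LocalPort = '500'  },
    @{ Name = 'L2TP-IPsec NAT-T (UDP 4500)';  Protocol = 'UDP'; LocalPort = '4500' },
    @{ Name = 'L2TP-IPsec L2TP (UDP 1701)';   Protocol = 'UDP'; LocalPort = '1701' },
    @{ Name = 'L2TP-IPsec ESP (IP proto 50)'; Protocol = '50' },   # protocol number, not a port
    @{ Name = 'L2TP-IPsec AH (IP proto 51)';  Protocol = '51' }    # protocol number, not a port
)

foreach ($r in $rules) {
    # Skip rules that already exist so the script can be re-run safely
    if (Get-NetFirewallRule -DisplayName $r.Name -ErrorAction SilentlyContinue) { continue }

    $params = @{
        DisplayName = $r.Name
        Direction   = 'Inbound'
        Action      = 'Allow'
        Profile     = 'Any'
        Protocol    = $r.Protocol
    }
    # ESP and AH have no port; only add LocalPort for the UDP rules
    if ($r.ContainsKey('LocalPort')) { $params.LocalPort = $r.LocalPort }

    New-NetFirewallRule @params | Out-Null
}

# Verify: show each rule with the protocol/port filter the firewall actually applies
Get-NetFirewallRule -DisplayName 'L2TP-IPsec*' | ForEach-Object {
    $filter = $_ | Get-NetFirewallPortFilter
    '{0,-34} enabled={1,-5} proto={2,-4} port={3}' -f $_.DisplayName, $_.Enabled, $filter.Protocol, $filter.LocalPort
}
```

The verification output should list five rules, three with a UDP port and two whose port shows as Any because ESP and AH are matched by protocol number only.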

finsfree

Member
I got it finally! There is a lot more you need to do on the server than expected! Microsoft definitely doesn't make it easy.

Thanks for the help CF
 